CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-54518

jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters but never consults prop.visibleInView(activeView). The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses that check, so a constructor parameter annotated with both @JsonView(AdminView.class) and @JsonUnwrapped is populated from attacker JSON even when a more restrictive view is active. This vulnerability is fixed in 2.21.4 and 3.1.4.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.002

EPSS Ranking 13.2%

CVSS Severity

CVSS v3 Score 6.5

References

Products affected by CVE-2026-54518

Fasterxml » Jackson-Databind » Version: 2.21.0

cpe:2.3:a:fasterxml:jackson-databind:2.21.0
Fasterxml » Jackson-Databind » Version: 2.21.1

cpe:2.3:a:fasterxml:jackson-databind:2.21.1
Fasterxml » Jackson-Databind » Version: 2.21.2

cpe:2.3:a:fasterxml:jackson-databind:2.21.2
Fasterxml » Jackson-Databind » Version: 2.21.3

cpe:2.3:a:fasterxml:jackson-databind:2.21.3
Fasterxml » Jackson-Databind » Version: 3.0.0

cpe:2.3:a:fasterxml:jackson-databind:3.0.0
Fasterxml » Jackson-Databind » Version: 3.0.1

cpe:2.3:a:fasterxml:jackson-databind:3.0.1
Fasterxml » Jackson-Databind » Version: 3.0.2

cpe:2.3:a:fasterxml:jackson-databind:3.0.2
Fasterxml » Jackson-Databind » Version: 3.0.3

cpe:2.3:a:fasterxml:jackson-databind:3.0.3
Fasterxml » Jackson-Databind » Version: 3.0.4

cpe:2.3:a:fasterxml:jackson-databind:3.0.4
Fasterxml » Jackson-Databind » Version: 3.1.0

cpe:2.3:a:fasterxml:jackson-databind:3.1.0
Fasterxml » Jackson-Databind » Version: 3.1.1

cpe:2.3:a:fasterxml:jackson-databind:3.1.1
Fasterxml » Jackson-Databind » Version: 3.1.2

cpe:2.3:a:fasterxml:jackson-databind:3.1.2
Fasterxml » Jackson-Databind » Version: 3.1.3

cpe:2.3:a:fasterxml:jackson-databind:3.1.3

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-54518

Products

Pricing

Contact Us